[Bro-Dev] #829: terminate called after throwing an instance of 'std::logic_error'
Bro Tracker
bro at tracker.bro-ids.org
Thu Jun 14 15:10:39 PDT 2012
#829: terminate called after throwing an instance of 'std::logic_error'
-----------------------------+------------------------
Reporter: Tyler.Schoenke | Owner:
Type: Merge Request | Status: new
Priority: Normal | Milestone: Bro2.1
Component: Bro | Version: git/master
Resolution: | Keywords:
-----------------------------+------------------------
Comment (by Tyler.Schoenke):
Replying to [comment:13 jsiwek]:
> If you `git checkout fastpath && git pull` and rebuild, I included in
> the error message the value of `ip->NextProto()` that it doesn't like, if
> you could tell me what that is and whether it's consistent across crashes,
> that might give me a hint.
>
> Also I'm curious about what kinds of weirds are in weird.log,
> `awk 'NR > 7' < weird.log | cut -f7 | sort | uniq` should give all unique ones, but
> mostly I'm wondering about any starting with "unknown_protocol_".

Here are the unknown protocols:
{{{
unknown_protocol_103
unknown_protocol_47
unknown_protocol_50
unknown_protocol_97
}}}
Below is the output of multiple back-to-back crashes. I also noticed it
is crashing with two different error messages.
{{{
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710831.110451 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 17
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710836.652673 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 6
Aborted (core dumped)
root@browrk3:~/test#
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710843.062141 internal error in <params>, line 1: unexpected next protocol in ICMP::DeliverPacket()
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710850.854367 internal error in <params>, line 1: unexpected next protocol in ICMP::DeliverPacket()
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710855.403844 internal error in <params>, line 1: unexpected next protocol in ICMP::DeliverPacket()
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710859.580805 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 6
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710865.303795 internal error in <params>, line 1: unexpected next protocol in ICMP::DeliverPacket()
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710867.725665 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 6
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710872.459743 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 6
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710875.625401 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 6
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710878.200259 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 17
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710882.961858 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 6
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710885.948716 internal error in <params>, line 1: unexpected next protocol in ICMP::DeliverPacket()
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710888.620009 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 6
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710890.593817 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 6
Aborted (core dumped)
root@browrk3:~/test# bro -w test.pcap -i eth1 record_all_packets=T
<params>, line 1: listening on eth1, capture length 8192 bytes
1339710894.223593 internal error in <params>, line 1: unexpected IP proto in ICMP analyzer: 17
Aborted (core dumped)
}}}
From the debugger, I seem to be getting some garbage data in the packets.
Neither IP address is in our address space.
{{{
in /root/src/bro-git-20120611/src/ICMP.cc
(gdb) print ip->ip4->ip_src
$1 = {s_addr = 731220608} (43.149.138.128)
(gdb) print ip->ip4->ip_dst
$2 = {s_addr = 1882264748} (112.49.20.172)
(gdb) print icmpp->icmp_type
$3 = 1 '\001'
(gdb) print icmpp->icmp_code
$4 = 189 '\275'
}}}
On a different run, I had this for ICMP type and code, which look out of
range.
{{{
(gdb) print icmpp->icmp_type
$5 = 228 '\344'
(gdb) print icmpp->icmp_code
$6 = 115 's'
(gdb) print ip->ip4->ip_src
$18 = {s_addr = 1261144704} (75.43.138.128)
(gdb) print ip->ip4->ip_dst
$19 = {s_addr = 1828190024} (108.247.247.72)
}}}
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/829#comment:14>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
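
gdb prints `s_addr` as a host-order integer, while the field itself holds the address in network byte order, so the dotted-quad reading of a value like the ones above depends on the endianness of the machine being debugged. The following is an added example, not part of the original post or of Bro's code, that decodes the four `s_addr` values from the gdb session both ways; the function names are hypothetical, and whether the capture host is little-endian is an assumption to confirm on the machine itself.

```python
import re
import socket
import struct

# The four gdb result lines from the post above, copied as posted.
GDB_LINES = """\
$1 = {s_addr = 731220608} (43.149.138.128)
$2 = {s_addr = 1882264748} (112.49.20.172)
$18 = {s_addr = 1261144704} (75.43.138.128)
$19 = {s_addr = 1828190024} (108.247.247.72)
"""

S_ADDR = re.compile(r"^\$(\d+) = \{s_addr = (\d+)\}", re.M)


def decode_s_addr(value, host_order):
    """Return the dotted quad for an s_addr integer printed by gdb.

    s_addr stores the address bytes in wire (network) order. gdb shows the
    32-bit word as the host sees it, so re-packing the integer in the host's
    byte order recovers the bytes as they appeared in the packet.
    """
    fmt = "<I" if host_order == "little" else ">I"
    return socket.inet_ntoa(struct.pack(fmt, value))


def readings(text):
    """Map each gdb value name ($1, $2, ...) to both possible readings."""
    out = {}
    for name, value in S_ADDR.findall(text):
        out["$" + name] = {
            "little_endian_host": decode_s_addr(int(value), "little"),
            "big_endian_host": decode_s_addr(int(value), "big"),
        }
    return out


if __name__ == "__main__":
    for name, r in readings(GDB_LINES).items():
        print(name, r["little_endian_host"], r["big_endian_host"])
```
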